SAS ‘05 Reducing Software Security Risk through an Integrated Approach David P. Gilliam, John D. Powell Jet Propulsion Laboratory, California Institute.

Presentation transcript:

SAS '05: Reducing Software Security Risk through an Integrated Approach
David P. Gilliam, John D. Powell, Jet Propulsion Laboratory, California Institute of Technology
Matt Bishop, University of California, Davis

July 20, 2005. David Gilliam, John Powell, Jet Propulsion Laboratory; Matt Bishop, UC Davis

Acknowledgement
NOTE: This research was carried out at the Jet Propulsion Laboratory, California Institute of Technology, under a contract with the National Aeronautics and Space Administration. The work was sponsored by the NASA Office of Safety and Mission Assurance under the Software Assurance Research Program, led by the NASA Software IV&V Facility. This activity is managed locally at JPL through the Assurance and Technology Program Office.

Current Collaborators
- David Gilliam, Principal Investigator, JPL
- John Powell, JPL Software Engineer
- Matt Bishop, Associate Professor of Computer Science, University of California at Davis

Agenda
- Goal
- Problem
- Approach
- Importance/benefits
- Relevance to NASA; accomplishments
- Next steps

Goal
- Reduce security risk to the computing environment by mitigating vulnerabilities in the software development and maintenance life cycles
- Provide an instrument and tools to help avoid vulnerabilities and exposures in software
- Aid in complying with security requirements and best practices

Problem
- The cost of fixing security weaknesses in software and systems is expensive
- Security weaknesses can lead to loss, corruption, disclosure, or unavailability of data and systems, impacting missions
- Poor security requirements
- Poor system engineering leads to poor design, coding, and testing
- Cycle of penetrate and patch
- Piecemeal approach to security assurance

Approach
- Develop a Software Security Assessment Instrument for the life cycle, with several foci:
  - Training/education
  - Security checklist for the life cycle
  - Application of lightweight formal verification techniques for security weaknesses in code and systems

Reducing Software Security Risk Through an Integrated Approach (overview diagram)
- Software vulnerabilities expose IT systems and infrastructure to security risks
- Goal: reduce security risk in software and protect IT systems, data, and infrastructure
- Security training for system engineers and developers
- Software security checklist for the end-to-end life cycle
- Software Security Assessment Instrument (SSAI); the security instrument includes:
  - Model-based verification
  - Property-based testing
  - Security checklist
  - Vulnerability matrix
  - Collection of security tools

Inception-to-Retirement Process
- Coincides with organizational policies and requirements
- Security risk mitigation process in the software life cycle
- Software life cycle integration: training, software security checklist
  - Phase 1: provide an instrument to integrate security as a formal approach to the software life cycle; requirements driven
  - Phase 2: external release of software; release process
- Vulnerability matrix: NASA Top 20
- Security assurance instruments
  - Early development: model checking / FMF
  - Implementation: property-based testing
- Security Assessment Tools (SATs)
  - Description of available SATs
  - Pros and cons of each and related tools, with web sites
- Notification process when software or systems are decommissioned / retired

Importance/Benefits
- Enhances a secure, trusted network environment
- Reduces cost of maintenance
- Reduces loss or destruction of data and systems
- Improves NASA's overall security posture: fewer intrusions and audit findings lead to a better image (OMB and public)

Relevance to NASA; Accomplishments
- Increases NASA's security reliability of systems and software
- Helps to prevent negative public exposure due to a security breach
- Prototyped the SSAI instrument on PatchLink agents, used at large scale across NASA on its systems; findings led to an improved vendor product

Next Steps
- Integrate the overall process in the project life cycle at NASA Centers

Contact Information
- David Gilliam, JPL, 400 Oak Grove Dr., MS, Pasadena, CA; Phone: (818)
- John Powell, JPL, MS; Phone: (818)
- Matt Bishop, UC Davis, Department of Computer Science, 3059 Engineering Unit II; phone: +1 (530); fax: +1 (530)
FOR MORE INFO... Web Site:

QUESTIONS?